
Showing posts from March, 2012

Splunk Universal Forwarder – Windows

To collect log information from a stand-alone Windows workstation (Vista in this case), download and install the Splunk Universal Forwarder splunk-4.3-115073-x86-release.msi. Follow the install configuration and select the WindowsEventLog: Security and whatever performance monitoring is required. Enter the IP address of the Splunk indexer/search head and the host IP address as directed. If the default port (9997) was selected, ensure that the indexer firewall is set to allow connections from the forwarder on this port.

In addition to the standard Windows event logs:

- Application log (tracks events that occur in a registered application)
- Security log (tracks security changes and possible breaches in security)
- System log (tracks system events)

a couple of useful logs to forward are the Windows Update log and the Windows Firewall log. Start Notepad and run as administrator. Open C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and edit as follows:
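As an added illustration (not the post's own inputs.conf), the stanzas below show how the Security event log plus the two extra file-based logs named above could be declared. They assume the Vista-era default paths for WindowsUpdate.log and pfirewall.log, the Splunk 4.x single-colon WinEventLog stanza form, and sourcetype names chosen here for this example.

```ini
# inputs.conf (added example, assumed layout for a 4.x Universal Forwarder)
# Stanza names, paths and sourcetypes are assumptions, not taken from the post.

# Standard Windows Security event log; 4.x form is WinEventLog:<name>
# (later releases document the WinEventLog://<name> form instead).
[WinEventLog:Security]
disabled = 0

# Windows Update agent log (default location on Vista / Windows 7).
[monitor://C:\Windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = main

# Windows Firewall log. Logging is OFF by default in Windows Firewall with
# Advanced Security, so enable "Log dropped packets" / "Log successful
# connections" in the firewall profile first or this file stays empty.
[monitor://C:\Windows\System32\LogFiles\Firewall\pfirewall.log]
disabled = 0
sourcetype = WindowsFirewallLog
index = main
```

After saving, restart the SplunkForwarder service so the new stanzas are read, then confirm on the indexer that events with the new sourcetypes arrive from this host.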